m 



Source attack of decoy-state quantum key distribution using 

phase information 

Yan-Lin Tang/ Hua-Lei Yin/ Xiongfeng Ma/ Chi-Hang Fred Fung/ Yang Liu/ Hai-Lin 
Yong/ Teng-Yun Chen/ Cheng-Zhi Peng/ Zeng-Bing Chen/ and Jian-Wei Pan^ 

^Hefei National Laboratory for Physical Sciences 
at Microscale and Department of Modern Physics, 



O . 

p\j , University of Science and Technology of China, Hefei, Anhui, China 



H . 2 



o i' Center for Quantum Information, Institute for Interdisciplinary Information Sciences, 

Ph. 



Tsinghua University, Beijing, China 

^Department of Physics and Center of Theoretical and Computational Physics, 

University of Hong Kong, Pokfulam Road, Hong Kong 



C ■ Abstract 

^ ' Quantum key distribution (QKD) utilizes the laws of quantum mechanics to achieve information- 

theoretically secure key generation. This field is now approaching the stage of commercialization, 
but many practical QKD systems still suffer from security loopholes due to imperfect devices. 
Tij" ' In fact, practical attacks have successfully been demonstrated. Fortunately, most of them only 

in ■ 

CN ' exploit detection-side loopholes which are now closed by the recent idea of measurement-device- 

(^ , independent QKD. On the other hand, little attention is paid to the source which may still leave 

cn 

QKD systems insecure. In this work, we propose and demonstrate a practical attack that exploits 
a source-side loophole existing in qubit-based QKD systems using a weak coherent state source 

X" 

?H ■ and decoy states. Specifically, by implementing a linear-optics unambiguous-state-discrimination 

C^ ■ 

measurement, we show that the security of a system without phase randomization — which is 
a step assumed in conventional security analyses but sometimes neglected in practice — can be 
compromised. We conclude that implementing phase randomization is essential to the security of 
decoy-state QKD systems under current security analyses. 



I. INTRODUCTION 



Quantum key distribution (QKD) aims at offering information-theoretical security for 
secret key expansion [l|, |2| tliat is guaranteed by quantum meclianics. Commercial QKD 
systems have emerged in market and are now under fast development. Despite the security 
proofs in theory, various quantum hacking strategies targeting practical QKD systems have 
been proposed with some of them demonstrated in experiments. These attacks exploit 
certain imperfections in the devices used to build the QKD systems. Until now, most 
practical attacks are launched on the detection side of the QKD system, including the fake- 
state attack g Q. the t,me.h,ft attack fl Q. the phase-remapp,ng attack fl g and the 
detector-blinding attack [9|, |10[ . 

In order to achieve security when imperfect (untrusted) devices are present, QKD schemes 
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12| that are fully device-independent (without assumptions on both the detector and 



source) have been proposed. However, these schemes suffer from their unrealistic requirement 
of high transmission efficiency (with the lowest to-date being 75% 13(1)) which limits their 



use in practice. Recently, the newly proposed measurement-device-independent QKD (MDI- 
QKD) scheme [ij] whose security does not rely on any assumptions on the detection system, 
can defeat all aforementioned detection-side attacks. On the source side, the security proof 
of MDI-QKD scheme relies on a trusted-source scenario, whose security concern is relatively 
less explored. Besides, many other security proofs 15|, ll6|] also rely on stringent assumptions 
on the source side. Any deviation from these assumptions may lead to loopholes that can 
be exploited for eavesdropping. 

The use of different sources directly affects the security. Systems implementing the popu- 
lar Bennett-Brassard 1984 (BB84) protocol l| often use a weak coherent state (WCS) source 
instead of a single-photon source for the transmission of quantum states. Fortunately, such 
a substitution of the source is safe but its security proof [15|, llTJ assumes that the phase of 
the source is randomized. Later security proof by Lo and Preskill [16| eliminated the need 
for phase randomization, but with the performance substantially diminished. 

Even though the security of the BB84 protocol with WCS is proven, there is a substantial 
performance gap between it and the case of single-photon source. A significant achievement 



was made with the proposal of the decoy-state technique [15|, ll8|, |19|, which is an inge 



nious way to greatly improve the performance of the BB84 protocol with WCS, and thus 



decoy-state BB84 with WCS has become one of the most popular schemes for practical im 



plementation. Again phase randomization is assumed in the current security proof 15| , and 



a security analysis for decoy-state QKD without phase randomization is not yet available 



16|. This fact can easily be overlooked and QKD system designers often neglect the im- 
plementation of phase randomization without realizing the danger of opening up a security 
loophole. Indeed, we experimentally demonstrate that this is a major security loophole. 
We propose a practical attack on the source part of a decoy-state QKD system with WCS 
when phase randomization is not implemented. By using a combination of an unambiguous- 



state-discrimination (USD) measurement and a photon- number-splitting (PNS) attack |20|, 
we show that the final key generated by the non-phase-randomized system can be compro- 
mised. 

II. HACKING STRATEGY 



The essence of our hacking strategy is as follows. Since Alice prepares her pulses without 
phase randomization, we may assume that Eve knows the overall phase of every transmitted 
state by Alice in the worst-case scenario. Then, from Eve's point of view, the states sent 
by Alice are drawn from an ensemble of pure states (corresponding to the signal and decoy 
states). Thus, quantum mechanics allows Eve to distinguish between the signal and decoy 
states by a USD measurement. In this way, one of the foundations of the security proof of 



decoy-state QKD, the photon number channel model 15|, is violated. 



Eve's attack is composed of two parts, a USD measurement and a PNS attack strat- 



egy [20|, as shown in Fig. [T] First, Eve performs a positive-operator valued measurement 
(POVM) to distinguish between a signal state and a decoy state without disturbing the quan- 
tum state sent by Alice (see Appendix |A] for details of the USD measurement). Then, she 
measures the photon number. Conditioned on her measurement results of the signal/decoy 
information. Eve may forward some photons to Bob so as to preserve the statistics of a nor- 
mal quantum channel. For a single-photon state. Eve either blocks it or directly forwards 
it without knowing the qubit information; while for a multi-photon state. Eve either blocks 
all copies, or keeps one copy and forwards the rest giving her the full qubit information (see 
Appendix [B] for details of the PNS attack strategy). 

An attack is considered successful if Eve is able to trick Alice and Bob into accepting an 
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FIG. 1. (Color online) Schematic diagram of the USD+PNS attack on a decoy-state QKD system 
without phase randomization. Eve intercepts the quantum states sent by Alice, and then performs 
a USD measurement to distinguish signal/decoy state succeeded by a PNS attack. Conditioned on 
her results of signal/decoy information and photon numbers, she sets the yields smartly so that 
the detection statistics on Bob's side remains the same as the case without attacks. 

insecure key. To show that our attack is successful, we compare the following two key rates: 
(i) a lower bound on the secure key rate from the perspective of Alice and Bob who overlook 
phase randomization and apply the conventional decoy-state post processing, denoted by i?' 
and (ii) an upper bound on the secure key rate taking into account our attack, denoted by 
R^. The former situation assumes that phase randomization is performe d ( but is actually 
not performed) and uses the post-processing scheme presented in Ref. 2l|; the key rate 
lower bound for this case (details shown in Appendix [E]) is 



R' = -Q^H{E^) + Y^iie'^[l - H{e\)], 



(1) 



where Q^ and E^ are the overall gain and quantum bit error rate (QBER); /x denotes the 
expected photon number of the signal state; Y^ and e\ are the yield and error rate of the 
single-photon signal state, respectively, which are estimated by the decoy-state method; and 
H{e) = — elog2(e) — (1 — e)log2(l — e) is the binary Shannon entropy function. Here, we 



assume that Alice and Bob run the efficient BB84 2^ and take the basis sift factor to be 
one. On the other hand, our USD+PNS attack sets an upper bound on the key rate (details 
shown in Appendix ICll: 

j^u ^ Y^e-^ii. (2) 

Note that different values of Y{ are used in the computation of R^ and i?". The value of 
y/ used in the lower bound, R\ is the one estimated by Alice and Bob using conventional 
decoy-state processing and the value used in the upper bound, -R", is the one chosen by 
Eve in the attack. Since the lower bound represents the key rate at which Alice and Bob 



generate a new key that they think is secure, if this rate is greater than what is allowed after 
taking into account our attack, some of the new key must be insecure and Eve has some 
information about it. Thus, our attack is successful if 



-') 



i?' > i?" (attack successful). (3) 

In the following, we show that this inequality indeed holds in our experiment. 

Eve's attack aims to preserve the measurement statistics of Bob in order to conceal the 
attack. We form the attack strategy as an optimization problem subject to preserving the 
gain statistics (see Appendix [C]). On the other hand, we do not constrain the error statistics 
since the error introduced by our attack comes from the error made experimentally in the 
USD measurements and this error probability is negligible. 

III. EXPERIMENT SETUP 

The PNS attack of our USD+PNS hacking strategy requires a quantum non-demolition 



measurement 23l-l26l| on the photon numbers, which is beyond current technology. Thus, we 
assume in the analysis that Eve has the ability to perform the PNS part and we only realize 
the USD measurement in our experiment. 

To demonstrate the attack, we use a phase-encoding BB84 QKD system with strong 



phase-stabilization pulses |27l-l29|. The experimental setup is shown in Fig. O At Alice's 
site, a distributed feedback (DFB) diode with a central wavelength of 1550.12 nm and pulse 
duration of 1 ns operates at a repetition rate of 4 MHz. Then the laser pulse passes through 
two asymmetric Mach-Zehnder interferometers (AMZI). The first one splits the coherent 
pulse generated by the laser source into two time bins, one for the phase stabilization and 
the other for the quantum signal. Then, the decoy state is prepared by randomly modulating 
the intensity of the quantum signal. The intensities of the signal and decoy states, /i and u, 
are set to 0.5 and 0.1 respectively. In the second AMZI, the phase modulator encodes the 
quantum pulse with one of the four BB84 phases, and it performs no action on the strong 
phase-stabilization pulse. 

At Eve's site, the key equipments of USD measurement installation as shown in Fig. [2] are 
the AMZI with the same path-length difference as Alice's first one, and the detector D2 in the 
output arm of destructive interference. Both the phase-stabilization pulse and the quantum 




FIG. 2. (Color online) Schematic diagram of our experiment setup for USD measurement demon- 
stration. Alice's first AMZI splits the signal pulse into two pulses, the strong one for phase stabi- 
lization, and the weak one for the quantum signal modulated by the intensity modulator (IM) to 
be either a decoy state or a signal state. The second AMZI encodes the BB84 states by a phase 
modulator (PM).Then a synchronization pulse is coupled with the signal pulses into a signal fiber 
and sent to Bob. At Eve's site, she utilizes a polarization controller and polarizer (Pol) to compen- 
sate for the polarization change, and a phase shifter (PS) to compensate for the phase drift. Then 
she uses the same AMZI setup as Alice's first one to interfere the quantum pulse with the strong 
phase-stabilization pulse modulated by IM. The interference result either indicates the identity of 
the quantum pulse (signal or decoy) or is inconclusive. 



signal are split into two pulses by a 99:1 beam splitter that matches Alice's first AMZI. 
The fraction of the phase-stabilization light, passing through the arm with the intensity 
modulator, interferes with the fraction of the quantum signal, passing through the arm with 
the phase shifter. With the intensity modulator. Eve can choose to measure either the signal 
or decoy state. Eve's AMZI cancels the path delay between the phase-stabilization pulse 
and the quantum signal pulse, which is set by Alice's first AMZI, and makes the two pulses 
meet and interfere with each other. Identical AMZIs will make perfect interference, and in 
our experiment, we have achieved a high visibility of 500:1. The interference results can be 
divided into two cases: (i) if the pulses in the two arms have the same intensity, detector 
D2 does not click and the USD measurement result is inconclusive; (ii) when detector D2 
clicks. Eve can identify the state sent by Alice. The second case corresponds to a successful 
USD measurement outcome for Eve. 



TABLE I. List of the ideal and experimental probabilities of the USD attack, conditioned on 
signal/decoy states sent by Alice. 





State of 
Alice 


Ideal case 
signal decoy failure 


Experimental case 
signal decoy failure 




signal 
decoy 


Qma.x U i — Qmax 
U Qmax J- Qmax 




IV. 


RESULTS 







The performance of our USD experiment is characterized by two sets of parameters, as 
hsted in Table [H The first one is related to success probabilities. Since the overlap between 
the signal and decoy states is non-zero. Eve's USD measurement cannot succeed with unity 
probability and we denote the success probability when Alice sends a signal (decoy) state 
by g^ (g^). The second set of parameters is related to error probabilities. Note that even 
when the USD measurement succeeds, experimental imperfection may cause the USD to 
report the wrong state. We denote the probability of correctly identifying the input state 
conditioned on a successful USD by ^^ {^y) when Alice sends the signal (decoy) state. These 
key parameters g^, g^,, ^^, and ^„ characterize the effectiveness of our USD attack from Eve's 
perspective and her ability to compromise the security of the QKD system. Details of these 
definitions can be found in Appendix O 

Several aspects of our experiment affect the success probabilities g^ and q^. First is the 
fundamental indistinguishability of non-orthogonal quantum states. Our USD measurement 
acts only on the first pulse and not on the second pulse which encodes the phase information. 
The optimal USD to distinguish the two possibilities of the first pulse, | a/I^) and | \/\)-i has 
maximal success probability (details shown in Appendix |A|) 



gopt = 1 - exp ( -- I v^ - v^n . 
On the other hand, our linear-optics USD setup shown in Fig. [2] achieves only 

_ gopt 

gmax „ • 



(4) 



(5) 



It is an interesting question how to implement a USD measurement to achieve gopt, especially 
with linear optics. When /x = 0.5 and v = 0.1, one obtains gmax = 1-87% and gopt = 



TABLE II. List of experimental results. The standard deviations (in the time domain) of g^, q^, 
^^, and ^y are, respectively, 4.3 x 10~^, 4.0 x 10^^, 0.98%, and 0.40%, which shows that the attack 
system is robust. 



1.18 X lO"'^ 1.16 X 10-'^ 96.90% 98.37% 3.75% 



3.75%. Experimental imperfections and inefficient detectors further reduce the actual success 
probability. 

The measurement results for g^, g,^, ^^, and ^j, over a time period of 748 seconds are 
shown in Table [TTl Note that ^^ {S,v) is near 100%, which indicates that we almost never 
made a mistake in identifying the state. 

Using the experimental values for these parameters, we can derive the key rate upper 
bound as a function of the transmission loss between Alice and Bob, which is shown in 
Fig. [3l Also shown is the the lower bound of the key rate that Alice and Bob thought 
to be achievable with the assumption of phase randomization, which adopts some realistic 
parameters of Bob's setup with super-conducting single-photon detectors 30(|: dark count 
Yq = 10"''', detection efficiency 5%, and misalignment error rate Cd = 2.0% (see Appendix [El 
for derivation). The key result is that when the overall transmission loss is beyond 36.3 dB, 
the upper bound is below the lower bound as shown in Eq. ([3]), and thus our attack allows 
Eve to successfully steal the secret key. 

To illustrate the potential power of the ideal USD+PNS attack, we consider the ideal USD 
measurement and take the success probabilities g^ and q^ to be the theoretically maximum 
of 3.75% and the correct distinguishing probabilities, ^^ and ^u, to be one. This upper bound 
curve is shown in Fig. |3l which indicates that when the overall loss between Alice and Bob 
is only beyond 21.2 dB, the decoy-state BB84 protocol with phase-non-randomized WCS 
is insecure. For comparison, an upper bound curve for the success probability of 23.0% 
corresponding to a relative phase between signal and decoy pulses of vr is also shown. In 
essence, this figure shows that the potential impact of our attack can be significant and 
phase randomization cannot be neglected in decoy-state QKD. 
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FIG. 3. (Color online) Bounds on the key generation rate. The lower bound, given in Eq. ([T]), 
is computed by ignoring the phase randomization problem. The experimental upper bound is 
evaluated by Eq. ([2]) and the data given in Table [Til The region for which the upper bound is 
below the lower bound corresponds to the secret key being stolen by Eve. Also shown are two best 
theoretical upper bounds using ideal values Qfj. = Qu = 23.0%, 3.75% and Cfi = Cu = 1, where the 
dash-dotted (dash) curve corresponds to a setup with a relative phase of vr (0) between signal and 
decoy pulses giving rise to (/^j = Qu = 23.0% (3.75%). Upper bounds corresponding to other relative 
phases fall between these two curves. Note that in our experiment, the relative phase is zero. Our 
attack is successful when the lower bound is higher than the upper bound, which occurs when the 
transmission loss is larger than 36.3 dB (for our experiment), 21.2 dB (for the ideal situation with 
zero relative phase), and 13.3 dB (for the ideal situation with vr relative phase). 

V. CONCLUSION AND DISCUSSIONS 



By exploiting the phase information of the signal and decoy states, our experimental 
attack succeeds in stealing the final secret key when the transmission loss is over a certain 
threshold. We prove that phase randomization cannot be neglected in decoy-state QKD 
using WCS, unless a new security proof is available. Our result also answers a long-standing 
question. Before our work, it was unclear whether performing phase randomization improves 
the key rate performance of decoy-state BB84 using a WCS. Our result implies that per- 
forming phase randomization is strictly better. We remark that our attack is not limited to 
the phase-encoding system with strong phase-stabilization pulses 27H29| on which our ex- 
periment is based. As long as the phase of each state, be it a signal or decoy state, is known 
by Eve, she does not need the strong phase reference from Alice. Eve can simply prepare 



an auxiliary pulse with the corresponding phase. Therefore, this attack can be launched to 
hack a regular decoy-state QKD system without phase randomization. 

A key feature of our experiment is the implementation of USD with linear optics. Even 
with only linear optics, this attack system can efficiently compromise the security of the 
key. To our best knowledge, our work is the first application of USD with linear optics in 
quantum information, which opens a new avenue to fully linear-optics-based implementa- 
tion of general quantum measurements as a powerful technique. Several aspects of our USD 
experiment renders the USD success probability suboptimal. Firstly, our proof-of-concept 
USD experiment is not an implementation of the optimal USD measurement (see Appendix 
|A|) . Secondly, losses in Eve's polarization controller, AMZI and the detector further reduce 
the intensity and hence the success probability. For future work, it is an interesting per- 
spective topic to study the case where Eve knows partial information on the phases. A 
related question will be whether a fully randomized phase is necessary for Alice and Bob to 
guarantee the security. 
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Appendix A: USD measurement 

The key point of decoy-state QKD is that the yield and error rate of single-photon-state 
component can be inferred from the detection statistics of signal/decoy states on Bob's side. 
Here, we want to show that with the phase information of the coherent states. Eve could 
fool Alice and Bob by setting the yields differently for the signal and decoy states. In the 
following discussion, we will illuminate the USD measurement and PNS attack, and give the 
formula for the upper bound of key rate that Alice and Bob can achieve when Eve performs 
the USD+PNS attack. Then some experimental details are present. At last, we will review 
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the one-decoy state protocol and give the lower bound of the secure key rate. 

Considering the one-decoy state protocol [21], where two coherent states are used by 
Alice, a signal state, ly^e*^"), and a weak decoy state, l-y/z/e*^''). Here, /i and v are the 
intensities of the signal and decoy states, respectively, with ^> v] Og and 9d are the phases 
of the signal and decoy states, respectively. Since no phase randomization is performed and 
Alice does not intentionally put any phase difference between signal and decoy pulses, their 
phases are naturally the same and thus we take Og = 6^ = (For the case where Os — ^d^ 0, 
the success probability for Eve's attack will increase as shown in Fig. [3]). 

For the phase-encoding scheme, Alice encodes qubits in the relative phases of the two 
pulses separated by the second Mach-Zehnder interferometer, as shown in Fig. O For BB84 
protocol, she encodes G {0, 7r/2, vr, 37r/2} randomly and sends out. 
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for signal and decoy states, respectively. 

Since the signal and decoy states are not orthogonal (i.e., (V'slV'd) 7^ 0), Eve cannot 
perfectly distinguish them with unity probability. Instead, she performs a USD measurement 
to perfectly distinguish them with probability less than one. We impose that our USD 
measurement acts only on the first pulse and we leave the second pulse which encodes the 
phase information intact. This is because a measurement on the second pulse may destroy 
the qubit encoded in the relative phase. In this case, the failure probability corresponding 
to the optimal USD 3l|-|33| (assuming equal a prior probabilities of \i\}^ and iV'd)? which is 
the case of our experiment) is given by the overlap between the states to be identified: 
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where we define the projection function P{\f)) = \f){f\ for some state \ip). The measure- 

a/oT^), where a = fi,iy; and the outcome 



ment outcome Ea indicates that the input state is 

Ef is inconclusive about whether input state is a signal state or a decoy state. Note that 

the success probabihty corresponding to the optimal USD is 



gopt ^ {y^,\E,\^,) = (v^|i5.| v^> = 1 -P/, (A4) 

and error does not occur since ( a//u/2 E^ a//V2/ = ( a/z^/2 E^ ^v j'l) = 0. The ideal 
probabilities of this optimal USD measurement outcomes are summarized in Table 1. In our 
experiment, we implement the USD measurement with linear optics as shown in Fig. |2l and 
its maximal success probability, assuming 100% efficiency detectors, is given by 

„ _ i-Koiv^-v^)r 

yinax „ 

l-exp(-^^^) (A5) 



_ 9opt 

2 
It is an interesting question to find out a way to implement the optimal USD measurement 

corresponding to Eq. (]A3|) using linear optics. 

Appendix B: PNS attack 

After the USD measurement. Eve measures the photon number of Alice's pulse and 
launches the PNS attack. The photon numbers of the two weak coherent states follow the 
Poisson distribution 

-^ i -I ' 

'■ (Bl) 

p. _ ^'^-^ 

Define the gains, Q^ and Q,y, respectively, to be the probabilities for Bob to get a detection 
event given that Alice sends signal and decoy states, 

Q, = Y,^P^ + Y.^Pl + Y,^P^ + ■■■ 

(B2) 
Q, = Y^P^ + Y^Pt + YiP^ + ■■■ . 

where Yi is the yield of the ^-photon state or the conditional probability of Bob to get a 
detection given that Alice sends out an z-photon states; the superscripts, s and c?, denote 
the signal state and decoy state, respectively. 
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In the post processing of decoy-state QKD, the yield of single-photon state component 
can be informed from the detection statistics of signal and decoy states on Bob's side. The 
underlying assumption of photon number channel model for the security proof of decoy-state 



QKD [l5| can be described as, 

Y: = Yf, (B3) 

which holds when the phases of signal and decoy states are randomized. In our USD+PNS 
attack, Eq. (IB 3 1) is violated when Eve is able to distinguish between the signal and decoy 
states by an USD measurement given the phase information of the coherent states (Note 
that Eq. flB3|) may also be violated even when only partial phase information is known to 
Eve [3^]). She smartly chooses these proportions {Yf and Y^"^) so that her attack will not be 
detected. This is achieved by maintaining the same observed gain statistics {Q^ and Q^^) as 
in the normal situation. 



Appendix C: Key rate upper bound 



In the USD attack. Eve performs the POVM as shown in Fig. [2l Conditioned on these 
results. Eve sets a different yield (detection probability) for each i-photon state. Define g^ 
[q,^) to be the conditional probability for Eve to result in a successful measurement outcome 
when Alice sends out a signal (decoy) state. Both experimental success probabilities, g^ and 
q,y, are limited by the theoretical maximum: 

q^l, qu < gmax (CI) 

where g^ax given in Eq. (jASj can be achieved when Eve's detection efficiency is 100%. 

In practice, even when Eve obtains a successful measurement outcome, she might make 
an error in determining whether the state is a signal or decoy state. Define 

^^ = Viohi^E ^\signal) 

^y = Prob(-E,y I (iecoy) 
to be the conditional probabilities for Eve to guess Alice's state correctly when Eve obtains 
successful measurement outcome and Alice sends out a signal (decoy) state. The relation- 
ship between these probabilities when Alice sends out a signal and decoy state is shown in 
Table IIIII This table appears as part of Table |T] which also shows the ideal probabilities of 
the optimal USD measurement. 
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TABLE III. List of the probabilities of these POVM outcomes, conditioned on different intensity 
states sent by Ahce, and the yields for different POVM outcomes and photon numbers i. 



POVM 


E^ Ey 


Ef 


signal 


9m?m 9/^(1 -^a') 


l-^M 


decoy 


9v(l - iv) quiu 


1 -^i. 


yields 


K z\ 


Xi 



Define Z^, Z^, and Xj to be the yields of the i-photon state, conditioned on Eve getting 
the measurement outcome E^^, E^, and Ef, respectively, as listed on the last line of Table 
mil The yield is the probability that a valid detection occurs when Eve sends a pulse to Bob 
after the attack. We assume that Eve sets Zq, Zq, and Xq to zero. This is because if Eve 
forwards any photon to Bob when she gets a vacuum state, she may introduce errors. The 
quantum no-cloning theorem tells us that when the photon number is one. Eve is unable 
to keep a copy of the qubit information, then the yields Zf , Z^, and Xi will enable Bob to 
generate secure keys from this one-photon state component. 

In our attack, we set Xi = for all i, due to the following reason. Since our implemen- 
tation of the USD measurement destroys the quantum reference pulse, if the USD outcome 
is inconclusive (i.e., Ef), Eve cannot always choose the right intensity for the regenerated 
reference pulse. This increases the error rate on Bob, which alerts Alice and Bob on Eve's 
presence. Thus, in order to avoid this, we design Eve's attack so that when she fails to learn 
the state intensity, she does not forward any pulse to Bob in order to emulate a channel loss. 
This means that Xj = for all i, which we assume for the remaining analysis. Note that if a 
non-demolition method is used to identify the intensity, no additional errors are introduced 
and thus there is no need to set Xf = X^ = for all i. 

Thus, the yields Yf and Yf, from Bob's point of view, are composed of the two successful 
outcomes of Eve as shown in Table IIIIl 






Then, by submitting Eq. (IC3P into Eq. (IB2p . the gains of signal and decoy state are given 
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by 

oo 



oo 



(C4) 



For a normal quantum channel, Alice and Bob should get, 

Q 1 _ e-^A*, 

(C5) 
Q, = 1 - 6-"^ 

If Eve does not want to disturb the detection statistics on Bob's side, she should choose Zf 
and Z^ smartly, so that Eq. flC4p and (ICSP are satisfied. 

In the decoy-state post-processing |21|], the secure key is only derived from the single- 



photon component. Then, the upper bound of the key rate is given by |35| . 

(C6) 
= g,[eX + (l-U^i1e-V 

Now, Eve needs to optimize Z^* and Z^ in order to minimize the upper bound of the key 
rate, Eq. (lC6p . The optimization problem can be stated as follows: 

min y/ (C7) 



subject to 



i=l 

oo 

g. = 1 - e-^'' = J2q, [e.Zr + (1 - e.)Zf ] e 



oo ,■ V 






where all Zf and Z^ are in the regime [0, 1]. In the detection statistics equations, /i and z/ are 
given by Alice's intensity choice, and g^, q^ are determined by both the overlap between the 
signal and decoy states and Eve's USD measurement efficiency. For a given overall efficiency 
7] between Alice and Bob, we can calculate the key rate upper bound. 

Appendix D: Experimental details 

In our experimental demonstration, the laser source is produced by distributed feedback 
(DFB) diode with a central wavelength of 1550.12 nm and pulse duration of 1 ns, operating 
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at a repetition rate of 4 MHz. Alice sets fi = 0.5 and u = 0.1, and randomly modulates the 
signal and decoy states with uniform probabilities. Eve performs the USD measurement for 
the signal and decoy states randomly with equal probabilities as well. 

The experiment results are collected over an operation time of 748 seconds. The fluctu- 
ation of the attack performance through time is shown in Fig. IH where we can see that the 
results are very stable. 





100 200 300 400 500 600 700 

Time(sec) 



100 200 300 400 500 600 700 
Time(sec) 



FIG. 4. (Color online) The experimental results over time for the USD attack demonstration. Note 
that ^fj_ (^1^) is close to 100%, which indicates that we have a nearly perfect interferometer with 
high visibility achieving 500:1. 

In our experiment, the phases of signal pulses and decoy pulses are both zero because 
the phase reference of every pulse is passed to Eve. In some other systems, the relative 
phase between signal and decoy pulses may not be zero (i.e., 6,^ — 6d ^ 0) and it can be 
shown that the success probability of USD is maximized when the relative phase is tt and 
minimized when it is 0, corresponding to 23.0% and 3.75% respectively. With a larger 
success probability. Eve is more capable to steal the final key and thus the upper bound of 
the key rate becomes lower. Figure |3] shows the two upper bounds corresponding to the two 
success probabilities. 



Appendix E: Review of one-decoy state 

The key assumption in the security proof of decoy-state QKD [15] is the equivalence 
between phase-randomized coherent states and the photon number channel model. A weak 
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coherent state can be described as a superposition of photon number (Fock) states 

l«) = |v/^e^0=e-H^/^5^^|n), (El) 



where /x and 9 are the intensity and phase of the coherent state, respectively. Since the 
eavesdropper has no knowledge of phase 6', from her point of view, the density matrix of the 



state should be written as [15 1 

Jo 27r ^n! 

As shown, the state is a Poisson distributed mixture of photon number state \n). Then, 
the channel between Alice and Bob can be understood as a photon number channel. Alice 
uses channel n with a probability of e~^^ to send out an ra-photon state to carry the qubit 
information. 

Based on the photon number channel model, we briefly review the post-processing for 



the one-decoy state protocol 21j. The lower bound of the key rate when Alice and Bob are 



unaware of Eve's attack, is given by 

R' = -Q,H{E,) + Y,fie'^[l - H{ei)], (E3) 

where Q^ and i?^ are the overall gain and quantum bit error rate (QBER), and Yi and ei 
are the yield and error rate of the single-photon state, which are estimated by the decoy 



states. From the analysis of one-decoy state protocol |2l|, one can derive the lower bound 
of Yi and upper bound of ei. 

The gains, Q^ and Qu, are given in Eq. f ICSp . We model the overall QBER in the normal 
quantum channel to be 

E^Q, = eoYo + e,{l-e-^^), (E5) 

where Cq = 1/2 is the error rate of the background count, Yq is the background count 
rate which includes the detector dark count and other background contributions, e^ is the 
probability that a photon triggers the incorrect detector and is due to the misalignment and 

17 



instability of the optical system. As we did not implement Bob's system in our experiment, 
we adopt some realistic parameters of a setup with super- conducting single-photon detectors 



30|: Yq = 10 '^, Crf = 2.0%, and a detection efficiency of 



70. 



[1] C. H. Bennett and G. Brassard, in Proceedings of the IEEE International Conference on 
Computers, Systems and Signal Processing (IEEE Press, New York, 1984) pp. 175-179. 
A. K. Ekert, phys. Rev. Lett., 67, 661 (1991) . 



[2 
[3 

K 

[5 
[6] 

[7] 
[8] 
[9] 

[10 

[11 

[12 



[13: 



[14 

[15: 

[16 

[17: 

[18 
[19 



V. Makarov, A. Anisimov, and J. Skaar, Phys. Rev. A, 74, 022313 (2006). 

V. Makarov and J. Skaar, Quantum Inf. Comput. , 8, 0622 (2008). 

B. Qi, C.-H. F. Fung, H.-K. Lo, and X. Ma, Quantum Inf. Comput., 7, 073 (2007). 

Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, Phys. Rev. A, 78, 042333 (2008). 

C.-H. F. Fung, B. Qi, K. Tamaki, and H.-K. Lo, phys. Rev. A, 75, 032314 (2007)| . 



F. Xu, B. Qi, and H.-K. Lo, |New Journal of Physics, 12, 113026 (2010)[ 



L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, Nature pho- 
tonics, 4, 686 (2010). 

I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, Nature 
Communications, 2, 349 (2011). 

D. Mayers and A. Yao, in FOCS, 39th Annual Symposium on Foundations of Computer Science 
(IEEE, Computer Society Press, Los Alamitos, 1998) p. 503. 



A. Acin, N. Brunner, N. Gisin, S. Massar, S. Pironio, and V. Scarani, Physical Review Letters, 



98, 230501 (2007^ . 



M. Lucamarini, G. Vallone, I. Gianani, P. Mataloni, and G. Di Giuseppe, phys. Rev. A, 86^ 



032325 (2012) 



H.-K. Lo, M. Curty, and B. Qi, phys. Rev. Lett., 108, 130503 (2012)1 



H.-K. Lo, X. Ma, and K. Chen, Phys. Rev. Lett. , 94, 230504 (2005). 

H.-K. Lo and J. PreskiU, Quantum Inf. Comput., 7, 0431 (2007). 

D. Gottesman, H.-K. Lo, N. Liitkenhaus, and J. Preskill, Quantum Inf. Comput., 4, 325 

(2004). 

W.-Y. Hwang, Phys. Rev. Lett. , 91, 057901 (2003). 

X.-B. Wang, Phys. Rev. Lett. , 94, 230503 (2005). 

18 



[20 

[21 

[22; 
[23; 

[24 



G. Brassard, N. Liitkenhaus, T. Mor, and B. C. Sanders, |Phys. Rev. Lett. , 85, 1330 (2000) . 
X. Ma, B. Qi, Y. Zhao, and H.-K. Lo, Phys. Rev. A, 72, 012326 (2005). 
H.-K. Lo, H. F. Chau, and M. Ardehali, Journal of Cryptology, 18, 133 (2005). 



N. Imoto, H. A. Haus, and Y. Yamamoto, [Phys. Rev. A, 32, 2287 (1985)i 



M. Brune, S. Haroche, V. Lefevre, J. M. Raimond, and N. Zagury, phys. Rev. Lett., 65, 976 



(1990) 



M. J. HoUand, D. F. Walls, and R Zoller, |Phys. Rev. Lett., 67, 1716 (1991) 



P. Grangier, J. Levenson, and J. Poizat, [NATURE, 396, 537 (1998) , 



[25; 

[26 

[27] Z. Yuan and A. Shields, Optics Express, 13, 660 (2005). 

[28] T. Chen, H. Liang, Y. Liu, W. Cai, L. Ju, W. Liu, J. Wang, H. Yin, K. Chen, Z. Chen, et al, 
Optics Express, 17, 6540 (2009). 

[29] M. Peev, C. Pacher, R. Alleaume, C. Barreiro, J. Bouda, W. Boxleitner, T. Debuisschert, 
E. Diamanti, M. Dianati, J. F. Dynes, S. Fasel, S. Fossier, M. Fiirst, J.-D. Gautier, O. Gay, 
N. Gisin, P. Grangier, A. Happe, Y. Hasani, M. Hentschel, H. Hiibel, G. Humer, T. Langer, 
M. Legre, R. Lieger, J. Lodewyck, T. Loriinser, N. Liitkenhaus, A. Marhold, T. Matyus, 
O. Maurhart, L. Monat, S. Nauerth, J.-B. Page, A. Poppe, E. Querasser, G. Ribordy, 
S. Robyr, L. Salvail, A. W. Sharpe, A. J. Shields, D. Stucki, M. Suda, C. Tamas, T. Themel, 
R. T. Thew, Y. Thoma, A. Treiber, P. Trinkler, R. Tualle-Brouri, F. Vannel, N. Wa- 
lenta, H. Weier, H. Weinfurter, L Wimberger, Z. L. Yuan, H. Zbinden, and A. Zeilinger, 



New Journal of Physics, 11, 075001 (2009) 



[30] K. ichiro Yoshino, M. Fujiwara, A. Tanaka, S. Takahashi, Y. Nambu, A. Tomita, S. Miki, 



T. Yamashita, Z. Wang, M. Sasaki, and A. Tajima, ppt. Lett., 37, 223 (2012) 
[31] L Ivanovic, physics Letters A, 123, 257 (1987) 



[32] D. Dieks, [Physics Letters A, 126, 303 (1988)| . 



[33] A. Peres, physics Letters A, 128, 19 (1988) 



[34] S.-H. Sun, M. Gao, M.-S. Jiang, C.-Y. Li, and L.-M. Liang, |Pi^. Rev. A, 85, 032304 (2012 
[35] X. Ma, C.-H. F. Fung, F. Dupuis, K. Chen, K. Tamaki, and H.-K. Lo, Phys. Rev. A, 74, 
032330 (2006). 



19 



